[Gnash-commit] gnash ChangeLog server/swf/ASHandlers.cpp
From: Sandro Santilli
Subject: [Gnash-commit] gnash ChangeLog server/swf/ASHandlers.cpp
Date: Sun, 05 Nov 2006 12:05:08 +0000
CVSROOT: /sources/gnash
Module name: gnash
Changes by: Sandro Santilli <strk> 06/11/05 12:05:07
Modified files:
. : ChangeLog
server/swf : ASHandlers.cpp
Log message:
* server/swf/ASHandlers.cpp (ActionSubstring): handle
out of range base and negative or invalid size (overflow
input length when added to base)
CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/gnash/ChangeLog?cvsroot=gnash&r1=1.1525&r2=1.1526
http://cvs.savannah.gnu.org/viewcvs/gnash/server/swf/ASHandlers.cpp?cvsroot=gnash&r1=1.87&r2=1.88
Patches:
Index: ChangeLog
===================================================================
RCS file: /sources/gnash/gnash/ChangeLog,v
retrieving revision 1.1525
retrieving revision 1.1526
diff -u -b -r1.1525 -r1.1526
--- ChangeLog 5 Nov 2006 11:59:22 -0000 1.1525
+++ ChangeLog 5 Nov 2006 12:05:07 -0000 1.1526
@@ -1,7 +1,9 @@
2006-11-05 Sandro Santilli <address@hidden>
* server/swf/ASHandlers.cpp (ActionSubstring): early
- return if input string is undefined or null; attempt
+ return if input string is undefined or null, base
+ is out of range, size is negative or invalid (overflow
+ input length when added to base); attempt
to support negative base args (untested: ming unable
to output such opcode). See bug #18204.
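Review bot: The reworded entry's "size is negative or invalid (overflow input length when added to base)" can be read as integer overflow handling, while the code change only tests whether base plus size goes past the end of the string. Suggest wording such as "size is negative or base+size exceeds the input length", and say that these cases now return undefined, since the entry only says "early return".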
Index: server/swf/ASHandlers.cpp
===================================================================
RCS file: /sources/gnash/gnash/server/swf/ASHandlers.cpp,v
retrieving revision 1.87
retrieving revision 1.88
diff -u -b -r1.87 -r1.88
--- server/swf/ASHandlers.cpp 5 Nov 2006 11:30:06 -0000 1.87
+++ server/swf/ASHandlers.cpp 5 Nov 2006 12:05:07 -0000 1.88
@@ -16,7 +16,7 @@
//
-/* $Id: ASHandlers.cpp,v 1.87 2006/11/05 11:30:06 strk Exp $ */
+/* $Id: ASHandlers.cpp,v 1.88 2006/11/05 12:05:07 strk Exp $ */
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -901,29 +901,58 @@
}
int size = int(size_val.to_number());
+ if ( size < 0 )
+ {
+ log_warning("Negative size passed to ActionSubString, "
+ "returning undefined");
+ env.drop(2);
+ env.top(0).set_undefined();
+ return;
+ }
+
int base = int(base_val.to_number());
int version = env.get_version();
const tu_string& str = string_val.to_tu_string_versioned(version);
+ // TODO: if 'base' or 'size' do not evaluate to numbers return
+ // the empty string (how do we check if they evaluate ??)
+
// negative base refer to index from end
// -1 is *last* character, otherwise
// they are 1-based index from start
if ( base < 0 ) base += str.length();
else base = base-1;
- // TODO: if 'base' or 'size' do not evaluate to numbers return
- // the empty string (how do we check if they evaluate ??)
+ if ( base < 0 || base >= str.length() )
+ {
+ log_warning("Invalid base passed to ActionSubString, "
+ "returning undefined");
+ env.drop(2);
+ env.top(0).set_undefined();
+ return;
+ }
+
+ if ( base+size > str.length() )
+ {
+ log_warning("size+based go beyond input string in ActionSubString, "
+ "returning undefined");
+ env.drop(2);
+ env.top(0).set_undefined();
+ return;
+ }
- assert(base >= 0);
+ assert(base >= 0);
+ assert(base < str.length() );
+ assert(size >= 0);
//log_msg("string: %s, size: %d, base: %d", str.c_str(), size, base);
// Keep base within range.
- base = iclamp(base, 0, str.length());
+ //base = iclamp(base, 0, str.length());
// Truncate if necessary.
- size = imin(str.length() - base, size);
+ //size = imin(str.length() - base, size);
// TODO: unsafe: use std::string::substr instead !
tu_string new_string = str.c_str() + base;
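Review bot: The new bound check `if ( base+size > str.length() )` adds two ints before comparing, so a large `size` can overflow the sum. `size` comes straight from `int(size_val.to_number())` and is only rejected when negative; signed overflow is undefined behaviour and in practice can wrap negative and pass the check, leaving `size` larger than the remaining string for the code after `str.c_str() + base`. Because `base` has already been validated as `0 <= base < str.length()` at that point, the test can avoid the addition: `if ( size > str.length() - base )`. Separately, this hunk switches from clamping (`iclamp`, `imin`) to returning undefined; if that is the intended behaviour, delete the two commented-out lines rather than keeping them, and consider folding the three identical `env.drop(2); env.top(0).set_undefined(); return;` blocks into one helper. The warning text "size+based" should read "size+base". The added asserts restate the checks directly above them, and none of them covers the base/size relation that the later pointer arithmetic depends on.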